Snort mailing list archives
Re: [snort-users] alert_syslog and remote syslogs: win32 only?
From: gravyface <gravyface () gmail com>
Date: Mon, 17 Aug 2009 11:52:22 -0400
On Mon, Aug 17, 2009 at 11:31 AM, Frank Knobbe <frank () knobbe us> wrote:

> On Mon, 2009-08-17 at 10:09 -0400, gravyface wrote:
> > Not quite. I understand the reasoning behind forcing *nix to write to the local syslog only:
>
> 'cause that's the way syslog normally works. It's just a system call to the log function. The application (Snort in this case) doesn't assemble packets. It just calls a "log" function. The syslog daemon does the rest.
>
> > It seems a bit cleaner to allow local or remote from within Snort, depending on the config value, with a default of remote if Win32 vs. local for *nix in the config. No need for any filtering/syslog-ng that way.
>
> In Windows the only way to do syslog is to assemble the packet and put it on the wire. That's the only reason there is an option for a remote server. It's actually nicer to have the *nix syslog daemon send the message. For one, it's less work for Snort, less CPU cycles for logging, and Snort can allocate more CPU for what it's intended to do, analyze packets. The other reason is that, once the "log" call has been made, and Snort is done, the syslog daemon can filter the data if desired, and send to as many remote machines as you configure, without burdening Snort.
>
> Cheers,
> Frank
Very good explanation, Frank. Makes sense to me now.
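To make Frank's distinction concrete, here is an added example (not Snort's code and not from the thread) contrasting the two paths: on Unix the application makes a single syslog(3) call and the local daemon owns formatting, filtering and forwarding; on Windows the application has to assemble the RFC 3164 datagram itself and send it over UDP/514. The hostname "sensor1", the collector address, the LOG_AUTH/LOG_ALERT pair and the Snort-shaped alert text with SID 9999999 are all constructed placeholders for this example.

```python
"""Two ways an application can get an alert into syslog (added example).

Unix path:    one libc call; syslogd adds timestamp/host, filters, forwards.
Windows path: no local daemon API, so the caller builds the RFC 3164 datagram
              and puts it on the wire itself.
"""
import datetime
import socket

# RFC 3164 facility / severity codes (subset). LOG_AUTH|LOG_ALERT is an
# assumed choice for this example, not something stated in the thread.
LOG_AUTH, LOG_LOCAL0 = 4, 16
LOG_ALERT, LOG_WARNING, LOG_INFO = 1, 4, 6

# Fixed clock so the output is reproducible (constructed value).
FIXED_TIME = datetime.datetime(2009, 8, 17, 11, 52, 22)

# Constructed alert text in the shape Snort writes; SID 9999999 is a placeholder.
ALERT = ("[1:9999999:1] Example rule [Classification: Misc activity] "
         "[Priority: 3] {TCP} 192.0.2.10:51515 -> 192.0.2.20:80")


def syslog_pri(facility, severity):
    """PRI = facility * 8 + severity (RFC 3164 section 4.1.1)."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0-23, severity 0-7")
    return facility * 8 + severity


def parse_pri(line):
    """Recover (facility, severity) from the <PRI> prefix, as a collector would."""
    if not line.startswith("<") or ">" not in line:
        raise ValueError("missing PRI")
    pri = int(line[1:line.index(">")])
    if not 0 <= pri <= 191:
        raise ValueError("PRI out of range")
    return pri // 8, pri % 8


def build_syslog_datagram(facility, severity, hostname, tag, msg, when=None):
    """Assemble a BSD syslog line: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: MSG.

    This is the work the Windows build has to do itself; on Unix syslogd does it.
    """
    when = when or datetime.datetime.now()
    # RFC 3164 timestamp: month abbreviation, space-padded day, 24h time.
    ts = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    # Keep it one record: CR/LF inside a message would otherwise let packet
    # content split into a second, forged-looking line at the collector.
    msg = msg.replace("\r", " ").replace("\n", " ")
    return f"<{syslog_pri(facility, severity)}>{ts} {hostname} {tag}: {msg}"


def send_remote(datagram, collector, port=514):
    """Windows-style path: the application itself sends the UDP datagram."""
    data = datagram.encode("utf-8")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(data, (collector, port))
    return len(data)


def log_local(severity, msg, facility=LOG_AUTH, tag="snort"):
    """Unix-style path: a single library call. The daemon, not the caller,
    assembles the record and decides whether it stays local or is forwarded."""
    import syslog  # Unix-only module, hence imported here rather than at top
    syslog.openlog(tag, 0, facility << 3)  # Python's facility constants are pre-shifted
    syslog.syslog(severity, msg)
    syslog.closelog()


def demo_datagram(when=FIXED_TIME):
    """The datagram a Windows sensor named sensor1 would emit for ALERT."""
    return build_syslog_datagram(LOG_AUTH, LOG_ALERT, "sensor1", "snort", ALERT, when)


if __name__ == "__main__":
    line = demo_datagram()
    print(line)
    print("collector decodes facility/severity as", parse_pri(line))
    # send_remote(line, "192.0.2.50")   # Windows path: uncomment to ship to a collector
    # log_local(LOG_ALERT, ALERT)        # Unix path: syslogd handles the rest
```

The point of the split is visible in the two send functions: `log_local` is three library calls and no network code, while `send_remote` has to own the socket, the timestamp and the message framing. That is why the daemon-side design also scales better for defenders: fan-out to several collectors, rate limiting and filtering all happen in syslogd/syslog-ng configuration rather than in the sensor.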